
MIS 5212-Advanced Penetration Testing

MIS 5212 - Section 001 - Wade Mackey

Fox School of Business

Week 06

First ever SHA-1 collision

February 26, 2017 by Leave a Comment

Researchers from CWI Amsterdam and from Google proved for the first time it is possible to have two different documents with the same SHA-1 value. The teams were able to do this with two different PDFs. The SHA-1 hashing algorithm is outdated but many applications still support it, including GitHub. What this means essentially is that you can take a secret document, Document A, and alter its data (bits) to effectively create a new document, Document B. You could hash both documents with SHA-1 and get the same hashed value (BHGUYU^%$&^$*^&!). Let’s say someone was sending Document A across the Internet but while en route, the document was altered to create Document B. The recipient, expecting to receive Document A, would not know the difference based on the hashed value. If you are encrypting your data based on SHA-1, don’t be too scared right at this moment, however. It took the team 9,223,372,036,854,775,808 SHA-1 computations, 6,500 years of CPU time, and 110 years of GPU time to create the matching hashed values. Most people aren’t able to do this in their basement…..yet.

https://www.theregister.co.uk/2017/02/23/google_first_sha1_collision/

Blockchain’s New Role In The Internet of Things

February 25, 2017 by Marcus A. Wilson 1 Comment

Blockchain’s New Role In The Internet of Things

http://www.darkreading.com/iot/blockchains-new-role-in-the-internet-of-things/a/d-id/1328239

This article discusses the use of distributed consensus algorithms that combine both performance and security to prevent DDoS attacks such as the Mirai botnet attack that took down Dyn in October. Due to the large number of IoT devices, the severity of DDoS attacks has increased. By using a distributed consensus architecture you can prevent the attacker from targeting a single server and make them target several servers. This technology is currently used in Bitcoin and other transactional technology, but due to performance restraints it hasn’t been a reliable option for DDoS defense. However, there are firms developing distributed consensus technology that can handle the performance and security demands.

Everything You Need to Know About Cloudbleed, the Latest Internet Security Disaster

February 25, 2017 by Mauchel Barthelemy 1 Comment

Change your passwords now! Believe that this is the best way to start warning you about what I’m about to tell you. In case you have not heard, Heartbleed 2.0 is here and it is called Cloudbleed. This is the latest vulnerability researchers uncovered within Cloudflare’s systems. According to Adam Clark Estes, a Gizmodo writer, Cloudflare is one of the world’s largest internet security companies and its clients list includes companies like Uber, OKCupid, 1Password, FitBit and so on. As the author suggests, do not try to find out the complete list of affected websites because it is safer to change all your passwords since it is something people should do regularly anyway.

It has been reported that Cloudflare-backed websites had been leaking data for several months before the bug was noticed. It will take some time before the level of destruction caused by Cloudbleed is determined. In the meantime, Cloudflare finds itself in a race to rush and hunt down all data stored elsewhere before hackers find them. It will be interesting to learn the evolvement’s nature of Cloudbleed. Again, the best defense against this so far is to change your passwords and apply two-factor authentication wherever possible.

http://gizmodo.com/everything-you-need-to-know-about-cloudbleed-the-lates-1792710616

 

Hacking WordPress 4.7.0-1 – Exploiting the Exploitable

February 23, 2017 by Scott Radaszkiewicz 1 Comment

Article Link

This article details a vulnerability in WordPress 4.7.0-1 that allows a user to change any blog post.   The article takes you step by step through the process of exploiting the vulnerability.

I found this article intriguing since we are using WordPress for this course.  Rest assured, the version we are on is version 4.7.2, and my research says that this vulnerability has been addressed in this release.

Hackers who took control of PC microphones siphon >600 GB from 70 targets

February 22, 2017 by Jason A Lindsley 1 Comment

Hackers compromised PC microphones using malware embedded in Microsoft Word documents.  The attack targeted companies in several industries, including critical infrastructure, news media, and scientific research.  The data was siphoned via Dropbox accounts.

The article states that organizations typically don’t prevent end users from accessing Dropbox. In this day and age, that needs to change. DLP strategies for companies in each of these industries should be blocking these cloud sharing sites. Any exceptions to these blocks should be closely monitored.

On another note, I would hate to be the one that had to listen to hours of audio to try to find the sensitive information, intellectual property, trade secrets, and research data!

 

https://arstechnica.com/security/2017/02/hackers-who-took-control-of-pc-microphones-siphon-600-gb-from-70-targets/

Week 6 Presentation

February 22, 2017 by Wade Mackey Leave a Comment

Advanced Penetration Testing -Week-6

Metasploit Analysis

February 22, 2017 by Jason A Lindsley Leave a Comment

Jason Lindsley’s Metasploit Analysis – Assignment #1

PowerPoint Presentation

Metasploit Attack Executive Summary

 

Assignment 1- Metasploit Analysis

February 22, 2017 by Marcus A. Wilson Leave a Comment

PowerPoint:

Marcus Wilson_Exploiting Metasploitable

Executive Summary

Marcus Wilson_Exploiting Metasploitable Executive Summary

Metasploit Analysis

February 22, 2017 by Scott Radaszkiewicz Leave a Comment

Metasploit Analysis – Executive Summary

Metasploit Analysis – Powerpoint

Metasploit Project

February 22, 2017 by BIlaal Williams Leave a Comment

Metasploit PowerPoint

Executive Summary
